Merge branch 'main' into update-contributing-guides

.github/workflows/ci-model-regression.yml

@@ -865,7 +865,7 @@ jobs:
           echo "to_ts=$TIME_UNIX_NOW" >> $GITHUB_OUTPUT
 
       - name: Publish results as a PR comment
-        uses: marocchino/sticky-pull-request-comment@f61b6cf21ef2fcc468f4345cdfcc9bda741d2343 # v2.6.2
+        uses: marocchino/sticky-pull-request-comment@f6a2580ed520ae15da6076e7410b088d1c5dddd9 # v2.7.0
         if: ${{ always() }}
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

changelog/12696.improvement.md

@@ -0,0 +1 @@
+Use the same session across requests in `RasaNLUHttpInterpreter`

changelog/12703.doc.md

@@ -0,0 +1 @@
+Document support for Vault namespaces.

changelog/12704.improvement.md

@@ -0,0 +1 @@
+Passed request headers from REST channel.

changelog/12712.doc.md

@@ -0,0 +1,2 @@
+Updated PII docs with new section on how to use Rasa X/Enterprise with PII management solution, and a new note on debug
+logs being displayed after the bot message with `rasa shell`.

docs/docs/pii-management.mdx

@@ -240,6 +240,34 @@ The `anonymization_topics` section contains a list of Kafka topics to which the
 Each Kafka topic must have a `name` field and an `anonymization_rules` field. The `name` field specifies the name of the
 Kafka topic. The `anonymization_rules` field specifies the `id` of the anonymization rule list to be used for the Kafka topic.
 
+### Streaming anonymized events to Rasa X/Enterprise with Kafka
+
+Streaming anonymized events to Rasa X/Enterprise is only supported for Rasa X/Enterprise versions `1.3.0` and above.
+In addition, you must use the Kafka event broker, other event broker types are not supported.
+
+You can stream anonymized events to Rasa X/Enterprise via Kafka by adding the `rasa_x_consumer: true` key-value pair to
+the `anonymization_topics` section:
+
+```yaml
+event_broker:
+  type: kafka
+  partition_by_sender: True
+  url: localhost
+  anonymization_topics:
+    - name: topic_1
+      anonymization_rules: rules_1
+      rasa_x_consumer: true
+    - name: topic_2
+      anonymization_rules: rules_2
+```
+
+If multiple Kafka anonymization topics contain the `rasa_x_consumer` key-value pair, the anonymized events will be streamed
+to the Kafka topic that is mapped to the first topic in the `anonymization_topics` list that contains the `rasa_x_consumer`
+key-value pair.
+
+Note that the `rasa_x_consumer` key-value pair is optional. If it is not specified, the anonymized events will be published
+to the Kafka topic, but they will not be streamed to Rasa X/Enterprise.
+
 ## How to enable anonymization of PII in logs
 
 You can enable anonymization of PII in logs by filling the `logger` section in the `endpoints.yml` file.
@@ -257,3 +285,8 @@ The `anonymization_rules` field specifies the `id` of the anonymization rule lis
 We strongly recommend to run with log level INFO in production.
 Running with log level DEBUG will increase the assistant's response latency because of processing delays.
 :::
+
+Note that running `rasa shell` in debug mode with a Kafka event broker might result in logs related to the event publishing
+to be printed to console **after** the bot message. This behaviour is expected because the event anonymization and publishing
+is done asynchronously as a background task, so it will complete after the assistant has already predicted and executed the
+bot response.

docs/docs/secrets-managers.mdx

@@ -66,6 +66,15 @@ and through `endpoints.yml` configuration file.
 Environment variables and `endpoints.yml` configuration file are merged together
 and **the values from the environment variables take precedence**.
 
+:::info New in 3.7
+Vault namespaces can be used to isolate secrets. You can
+configure a namespace with the `VAULT_NAMESPACE` environment variable or the `namespace` key in secrets_manager
+section of the `endpoints.yml` file.
+To learn more about namespaces,
+check out the [Vault namespaces docs](https://developer.hashicorp.com/vault/docs/enterprise/namespaces).
+:::
+
+
 The following environment variables are available:
 
 | Environment Variable          | Description                                                                                    | Default               |
@@ -75,6 +84,7 @@ The following environment variables are available:
 | `VAULT_TOKEN`                 | **Required**. token to authenticate to the vault server                                        |                       |
 | `VAULT_RASA_SECRETS_PATH`     | Path to the secrets in the vault server                                                        | `rasa-secrets`        |
 | `VAULT_TRANSIT_MOUNT_POINT`   | If transit secrets engine is enabled, set this to mount point of the transit engine            |                       |
+| `VAULT_NAMESPACE`             | If namespaces are used, set this to the path of the namespace                                  |                       |
 
 To configure the Vault secrets manager, you can fill the following section in `endpoints.yml` file:
 ```yaml-rasa title="endpoints.yml
@@ -84,6 +94,7 @@ secrets_manager:
     url: "http://localhost:1234" # required - the address of the vault server
     secrets_path: rasa-secrets  # path to the secrets in the vault server if not set it defaults to `rasa-secrets`
     transit_mount_point: transit # if transit secrets engine is enabled, set this to mount point of the transit engine
+    namespace: my-namespace # if namespaces are used, set this to the path of the namespace
 ```
 
 #### Store access credentials in environment variables
@@ -103,6 +114,7 @@ secrets_manager:
     url: "http://localhost:1234"
     secrets_path: rasa-secrets  # if not set it defaults to `rasa-secrets`
     transit_mount_point: transit # if you have enabled transit secrets engine, and you want to use it
+    namespace: my-namespace # if namespaces are used, set this to the path of the namespace
 ```
 
 ### How to configure Tracker Store with Vault Secrets Manager

docs/yarn.lock

@@ -3096,6 +3096,11 @@
     "@babel/runtime" "^7.7.2"
     core-js "^3.4.1"
 
+"@leichtgewicht/ip-codec@^2.0.1":
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/@leichtgewicht/ip-codec/-/ip-codec-2.0.4.tgz#b2ac626d6cb9c8718ab459166d4bb405b8ffa78b"
+  integrity sha512-Hcv+nVC0kZnQ3tD9GVu5xSMR4VVYOteQIr/hwFPVEvPdlXqgGEuRjiheChHgdM+JyqdgNcmzZOX/tnl0JOiI7A==
+
 "@lunelson/sass-calc@^1.2.0":
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/@lunelson/sass-calc/-/sass-calc-1.2.0.tgz#7880a17cea6631f7e5c63315617dd2708809b2c5"
@@ -5634,15 +5639,10 @@ caniuse-api@^3.0.0:
     lodash.memoize "^4.1.2"
     lodash.uniq "^4.5.0"
 
-caniuse-lite@^1.0.0, caniuse-lite@^1.0.30000981, caniuse-lite@^1.0.30001109, caniuse-lite@^1.0.30001124, caniuse-lite@^1.0.30001125, caniuse-lite@^1.0.30001173:
-  version "1.0.30001214"
-  resolved "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001214.tgz"
-  integrity sha512-O2/SCpuaU3eASWVaesQirZv1MSjUNOvmugaD8zNSJqw6Vv5SGwoOpA9LJs3pNPfM745nxqPvfZY3MQKY4AKHYg==
-
-caniuse-lite@^1.0.30001219:
-  version "1.0.30001240"
-  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001240.tgz#ec15d125b590602c8731545c5351ff054ad2d52f"
-  integrity sha512-nb8mDzfMdxBDN7ZKx8chWafAdBp5DAAlpWvNyUGe5tcDWd838zpzDN3Rah9cjCqhfOKkrvx40G2SDtP0qiWX/w==
+caniuse-lite@^1.0.0, caniuse-lite@^1.0.30000981, caniuse-lite@^1.0.30001109, caniuse-lite@^1.0.30001124, caniuse-lite@^1.0.30001125, caniuse-lite@^1.0.30001173, caniuse-lite@^1.0.30001219:
+  version "1.0.30001519"
+  resolved "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001519.tgz"
+  integrity sha512-0QHgqR+Jv4bxHMp8kZ1Kn8CH55OikjKJ6JmKkZYP1F3D7w+lnFXF70nG5eNfsZS89jadi5Ywy5UCSKLAglIRkg==
 
 cardinal@^2.1.1:
   version "2.1.1"
@@ -7294,19 +7294,19 @@ dns-equal@^1.0.0:
   integrity sha1-s55/HabrCnW6nBcySzR1PEfgZU0=
 
 dns-packet@^1.3.1:
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/dns-packet/-/dns-packet-1.3.1.tgz#12aa426981075be500b910eedcd0b47dd7deda5a"
-  integrity sha512-0UxfQkMhYAUaZI+xrNZOz/as5KgDU0M/fQ9b6SpkyLbk3GEswDi6PADJVaYJradtRVsRIlF1zLyOodbcTCDzUg==
+  version "1.3.4"
+  resolved "https://registry.yarnpkg.com/dns-packet/-/dns-packet-1.3.4.tgz#e3455065824a2507ba886c55a89963bb107dec6f"
+  integrity sha512-BQ6F4vycLXBvdrJZ6S3gZewt6rcrks9KBgM9vrhW+knGRqc8uEdT7fuCwloc7nny5xNoMJ17HGH0R/6fpo8ECA==
   dependencies:
     ip "^1.1.0"
     safe-buffer "^5.0.1"
 
 dns-packet@^5.1.2:
-  version "5.2.1"
-  resolved "https://registry.yarnpkg.com/dns-packet/-/dns-packet-5.2.1.tgz#26cec0be92252a1b97ed106482921192a7e08f72"
-  integrity sha512-JHj2yJeKOqlxzeuYpN1d56GfhzivAxavNwHj9co3qptECel27B1rLY5PifJAvubsInX5pGLDjAHuCfCUc2Zv/w==
+  version "5.4.0"
+  resolved "https://registry.yarnpkg.com/dns-packet/-/dns-packet-5.4.0.tgz#1f88477cf9f27e78a213fb6d118ae38e759a879b"
+  integrity sha512-EgqGeaBB8hLiHLZtp/IbaDQTL8pZ0+IvwzSHA6d7VyMDM+B9hgddEMa9xjK5oYnw0ci0JQ6g2XCD7/f6cafU6g==
   dependencies:
-    ip "^1.1.5"
+    "@leichtgewicht/ip-codec" "^2.0.1"
 
 dns-socket@^4.2.1:
   version "4.2.1"
@@ -11494,9 +11494,9 @@ [email protected], minimatch@^3.0.4:
     brace-expansion "^1.1.7"
 
 minimist@^1.2.0, minimist@^1.2.3, minimist@^1.2.5:
-  version "1.2.5"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
-  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==
+  version "1.2.8"
+  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c"
+  integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==
 
 minipass-collect@^1.0.2:
   version "1.0.2"
@@ -17455,9 +17455,9 @@ winston@^3.2.1:
     winston-transport "^4.4.0"
 
 word-wrap@~1.2.3:
-  version "1.2.3"
-  resolved "https://registry.yarnpkg.com/word-wrap/-/word-wrap-1.2.3.tgz#610636f6b1f703891bd34771ccb17fb93b47079c"
-  integrity sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==
+  version "1.2.4"
+  resolved "https://registry.yarnpkg.com/word-wrap/-/word-wrap-1.2.4.tgz#cb4b50ec9aca570abd1f52f33cd45b6c61739a9f"
+  integrity sha512-2V81OA4ugVo5pRo46hAoD2ivUJx8jXmWXfUkY4KFNw0hEptvN0QfH3K4nHiwzGeKl5rFKedV48QVoqYavy4YpA==
 
 worker-farm@^1.7.0:
   version "1.7.0"